The invention relates to controlling user access to another system through a mobile communications network.
Mobile communications system refers generally to any telecommunications system which enables wireless communication while users are moving within the service area of the system. A typical mobile communications system is a Public Land Mobile Network (PLMN).
Often the mobile communications network is an access network providing a user with wireless access to external networks, hosts, or services offered by specific service providers. The user must have a subscribership with the mobile communications system in order to be able to use the services of the mobile system. Normally, in addition to the mobile subscribership, a separate subscribership is needed with each one of the other service providers whose services are accessed through the mobile communications network. The mobile subscriber data of the user may indicate which external service the user is authorized to use and to which access point or gateway node the service request should be routed. The access point or gateway node then provides further access to an external network or an external host. In this case the service request is routed on the basis of a service definition in the mobile subscriber data stored by a mobile network operator, and therefore there is no need for further authentication of the user by the gateway or the service provider.
It is, however, desirable that the user is able to select the service provider or the most suitable access point of the service provider. For example, the use of the TCP/IP (Transmission Control Protocol/Internet Protocol) data network, i.e. the Internet, has increased very rapidly. Before the user can connect to the Internet, he has to have a contract with an Internet service provider ISP, who provides access to the Internet via one or more Internet access points IAP. The IAP may be, e.g., a commercial operator, a university or a private company. An ordinary subscriber of a conventional wired network usually needs only one IAP, the one which is closest to him and thus has the lowest costs. A mobile subscriber may, however, roam within a large area covering one or more countries. If the mobile subscriber always uses the same IAP (home IAP) to connect to the Internet, call (data transmission) costs may increase considerably. The subscriber's Internet service provider ISP may have numerous IAPs available all around the world, and therefore it is desirable that a user is able to select the nearest IAP instead of the home IAP which may be defined in the mobile subscriber data. A similar need for the user to be able to select the access point may also be encountered in services other than the Internet.
The general packet radio service GPRS is a new service in the GSM system, and is one of the objects of the standardization work of GSM phase 2+ at ETSI (European Telecommunication Standard Institute). The GPRS operational environment comprises one or more subnetwork service areas, which are interconnected by a GPRS backbone network. A subnetwork comprises a number of packet data service nodes SN, which in this application will be referred to as serving GPRS support nodes SGSN, each of which is connected to the GSM mobile communication network (typically to base station systems) in such a way that it can provide a packet service for mobile data terminals via several base stations, i.e. cells. The intermediate mobile communication network provides packet-switched data transmission between a support node and mobile data terminals. Different subnetworks are in turn connected to an external data network, e.g. to a public switched data network PSPDN, via GPRS gateway support nodes GGSN. The GPRS service thus allows packet data transmission to be provided between mobile data terminals and external data networks when the GSM network functions as an access network.
In a GPRS network the mobile station MS may optionally indicate, in a message requesting activation of a packet data protocol (PDP) context in the network, an access point name for selection of a reference point to a certain external network. A serving GPRS support node SGSN authenticates the mobile user and sends a PDP context creation request to a gateway node GGSN selected according to a GGSN address stored in the subscriber data, or according to the access point name given by the MS, or to a default GGSN known by the SGSN.
The inventors of the present invention have realized that this type of access point selection by the user may, however, create severe security problems when the mobile user is authenticated by the serving point (such as the SGSN) in the access network but not by the access point selected (such as the GGSN). The user may request any access point, although he may be authorized to use only one of the access points, and the request will always be forwarded to the access point requested. The access point receiving the request is not able to determine whether the request is allowed by subscription or selected by the user. As the access point (e.g. GGSN) may be connected directly to a private corporate network, for example, this could be a problem.
Similar security problems may arise in any mobile communications network.
An object of the present invention is a method which overcomes or alleviates the above described problems.
An aspect of the present invention is an access control method for a mobile communications system as claimed in the attached claim 1.
Another aspect of the invention is an access control arrangement for a mobile communications system as claimed in the attached claim 8.
An access point from a mobile communications system to an external system can be selected at a serving node of the mobile communications system on at least two or three grounds of selection: the subscription data of a mobile subscriber stored in the mobile communication system, access point selection data given by a user in a service request, or other grounds. The other grounds may include a default access point which, according to configuration data defined in the serving node, supports the requested protocol type. A further service request is sent from the serving node to the access point selected. According to the present invention the serving node is arranged to always indicate to an access point the grounds of the selection, i.e. whether the access point is selected by subscription, by user, or on any other grounds. Thereby the access point is able to distinguish and accept, without any security problems, service requests in which the rights of the user are already assured by the subscription. When the request is based on the selection of the access point by the user, or on any other insecure grounds, the access point is able to take any further actions to ensure security. These further actions may include rejection of the service request, further authentication of the user, providing the external system with information that the user may be an unauthorized user (which information allows further security actions by the external system), etc. The external system may be, for example, an external network, a host computer, a service center, etc.
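The SGSN/GGSN exchange described above, as an added illustration that is not part of the patent text: the serving node tags each context creation request with the grounds of selection, and the access point applies a per-APN policy to anything not verified by subscription. All names, data structures and the policy table are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class SelectionMode(Enum):
    SUBSCRIPTION = "subscription"   # APN verified against the subscriber data
    USER = "user"                   # APN supplied by the MS, not in the subscriber data
    DEFAULT = "default"             # SGSN fell back to its configured default for the PDP type

@dataclass
class CreateRequest:                # hypothetical shape of the SGSN -> GGSN request
    imsi: str
    apn: str
    ggsn: str
    mode: SelectionMode             # the grounds-of-selection indication the invention adds

# Constructed sample data, not taken from any real network.
SUBSCRIBER_DATA = {"imsi-1": {"corp.example": "ggsn-corp"}}   # IMSI -> APN -> GGSN address
SGSN_DEFAULTS = {"ip": ("public.example", "ggsn-public")}      # PDP type -> (APN, GGSN)
APN_DIRECTORY = {"corp.example": "ggsn-corp", "public.example": "ggsn-public"}
# GGSN-side policy for unverified requests: the APN on a private corporate link rejects
# them outright, the public APN requires further authentication of the user.
GGSN_POLICY = {"corp.example": "reject", "public.example": "authenticate"}

def sgsn_select(imsi: str, requested_apn: Optional[str], pdp_type: str) -> CreateRequest:
    """Serving node: choose the GGSN and record on which grounds it was chosen."""
    subscribed = SUBSCRIBER_DATA.get(imsi, {})
    if requested_apn is not None:
        if requested_apn in subscribed:
            return CreateRequest(imsi, requested_apn, subscribed[requested_apn],
                                 SelectionMode.SUBSCRIPTION)
        ggsn = APN_DIRECTORY.get(requested_apn)
        if ggsn is None:
            raise ValueError("unknown access point name: %s" % requested_apn)
        return CreateRequest(imsi, requested_apn, ggsn, SelectionMode.USER)
    if subscribed:                          # no APN given: use the subscribed one
        apn, ggsn = next(iter(subscribed.items()))
        return CreateRequest(imsi, apn, ggsn, SelectionMode.SUBSCRIPTION)
    apn, ggsn = SGSN_DEFAULTS[pdp_type]     # otherwise the configured default
    return CreateRequest(imsi, apn, ggsn, SelectionMode.DEFAULT)

def ggsn_handle(req: CreateRequest) -> str:
    """Access point: trust subscription-selected requests, scrutinise all others."""
    if req.mode is SelectionMode.SUBSCRIPTION:
        return "accept"
    return GGSN_POLICY.get(req.apn, "reject")   # user- or default-selected: apply policy
```

Without the mode field the GGSN sees identical requests for "imsi-1" and "imsi-2" on corp.example and must either accept both or re-authenticate both.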
In the preferred embodiment of the invention the mobile communications network is a packet radio network, such as GPRS.